SANS ISC: Extracting signatures from Apple .apps - SANS Internet Storm Center SANS ISC InfoSec Forums

Extracting signatures from Apple .apps

As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.

To verify and extract signatures and certificates on an Apple .app, you can do (example

codesign -dvvvv --extract-certificates  /Applications/

This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL:

openssl x509 -inform DER -in codesign0 -text
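
The two commands above can be combined into one triage step. The following is an added example, not part of the original diary: it extracts the chain into a scratch directory and prints subject, issuer, validity and SHA-256 fingerprint for each certificate. The function names `dump_chain` and `summarise_certs` are hypothetical, and it uses the optional prefix form of `--extract-certificates` so the files do not land in the current directory.

```bash
# Added example. Function names are hypothetical.
# Usage (macOS): dump_chain /path/to/Some.app

# Summarise every codesignN file in a directory, leaf (codesign0) first.
summarise_certs() {
    cert_dir=$1
    n=0
    while [ -f "$cert_dir/codesign$n" ]; do
        echo "== codesign$n =="
        openssl x509 -inform DER -in "$cert_dir/codesign$n" -noout \
            -subject -issuer -dates -fingerprint -sha256 || return 1
        n=$((n + 1))
    done
    # Zero files means no certificate chain was embedded
    # (for example an ad-hoc signature): report that as a failure.
    [ "$n" -gt 0 ]
}

dump_chain() {
    app=$1
    work=$(mktemp -d) || return 1
    # With a prefix, codesign writes <prefix>0, <prefix>1, ... instead of
    # dropping codesign0, codesign1, ... into the current directory.
    if ! codesign -dvvvv --extract-certificates="$work/codesign" "$app"; then
        rm -rf "$work"
        return 1
    fi
    rc=0
    summarise_certs "$work" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```

A non-zero return from `dump_chain` means either `codesign` rejected the bundle or no certificates were extracted, so the result can be checked in a loop over several bundles.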



ISC Handler
May 16th 2013